win2003 AD域 支持 LDAP SSL

参考http://www.linuxmail.info/enable-ldap-ssl-active-directory/

Enabling SSL in Active Directory allows clients to communicate securely with AD servers. This is also required to allow a user’s Active Directory password to be changed programmatically using LDAP.

This article will show you how to install the Certificate Services in Windows 2003 to enable LDAP SSL in Active Directory.

Before beginning, make sure the Internet Information Server (IIS) is installed in your server.

一、Installing the Certificate Services

1. Click Start, select Control Panel and clickAdd or Remove Programs.

2. In the Add or Remove Programs window, clickAdd/Remove Windows Components, check theCertificate Services and clickNext.

3. Click Next in the CA Type page.

4. Fill up the Common name for this CA and clickNext.

5. Click Next in the Certificate Database Settings page.

6. The Certificate Services will now be installed.

7. Click Finish and restart your server.

二、Configuring Automatic Certificate Request for Domain Controllers

1. Click Start, select Administrative Tools and clickDomain Controller Security Policy.

2. In the Default Domain Controller Security Settings window, click thePublic Key Policies folder.

3. Right click Automatic Certificate Request Settings, selectNew and clickAutomatic Certificate Request.

4. Click Next in the Automatic Certificate Request Setup Wizard.

5. Select Domain Controller in the Certificate Template page and clickNext.

6. Click Finish and reboot your server.

三、Check for Issued Certificate

1. Click Start, select Administrative Tools and clickCertification Authority. This will launch theCertification Authority application.

2. In Certification Authority, click the+ sign and check theIssued Certificates folder if your server has been issued a certificate.

Make sure your server has been issued a certificate, otherwise SSL communication will not work.

四、Export SSL Certificate(CA) in Windows Server 2003

How to Export an SSL Certificate in Windows Server 2003.

To communicate with the Active Directory server over the Secure Sockets Layer (SSL), you need an SSL enabled server and an SSL certificate for the client. SSL communication is required to programmatically change the Active Directory password.

This article will show you how to export an SSL certificate from an SSL enabled Windows Server 2003 to use the LDAP API over SSL.

1. Click Start, select Administrative Tools and click Certification Authority. This will launch theCertification Authority application.

2. Select a certification authority, press right click and clickProperties.

3. In the Properties window, click theView Certificate button.

4. In the Certificate window, click theDetails tab and click theCopy to File button.

5. Click Next in the Certificate Export Wizard window.

6. Select Base-64 encoded X.509 and click Next.

7. Specify the path and file name of the certificate and clickNext.

8. Finally, click Finish to export the certificate.

五、LDAP客户端使用SSL连接LDAP服务器注意事项：

1、当LDAP客户端使用SSL来连接这个LDAP服务器时，要配置这个CA，来对服务器进行认证；
2、当LDAP客户端使用SSL来连接这个LDAP服务器时，地址要填域控制器的完整域名，比如：
           本例中计算机名是：win2003ADC，域控制器域名为：acme.local，那么地址为：win2003ADC.acme.local；
           原因是域控件器的服务器证书是颁发给win2003ADC.acme.local的。可在“开始/管理工具/证书颁发机构(Certification Authority)/颁发的证书”查看：

3、要使用域名来连接LDAP服务器，那么要在这台服务器上安装DNS服务，并且要把测试的客户端PC的首先DNS服务器设置为这台LDAP服务器的IP。
4、可使用LdapAdmin来验证连接：
首先在XP上安装这个CA到“受信任的根证书颁发机构”，然后LdapAdmin配置如下：